New Computer? Six Steps to Safer Surfing

A better than average news article helping people keep their new
computers secure. It is much easier to prevent your computer getting
infected, than it is curing your computer afterwards.

http://www.washingtonpost.com/wp-dyn/articles/A9658-2004Dec18.html

I wouldn't rely on software firewalls. At the same store you buy your
computer, also buy a hardware firewall. Hopefully soon the motherboard
and NIC manufacturers will start including built-in hardware firewalls.
But sometimes, such as with dialup modems, software firewalls are the only
alternative.

Just asking .. any idea how many cable / dsl operators around the
world - not just in the USA - provide hardware firewalls along with
their CPE equipment - or perhaps provide CPE equipment that's capable
of firewalling?

Quite a few ISPs that I know of tend to hand out dsl routers with, at
the most, basic NAT / PAT capabilities, and maybe a CD with a 30-day
trial version of an antivirus program, along with other stuff.

How many dialup operators around the world provide hardware firewalls? Or
is the modem built into your computer or bought as an add-on card?

Not a valid comparison.

At least some manufacturers make hardware firewalls that are also
PPPoE / PPPoA dsl modems. Linksys for example. Several other
manufacturers don't do this.

well, i think the dial angle is important to keep in mind..

  while a lot of us have migrated to higher speed links at home,
on my street here's the high speed choices:

  1) ISDN
  2) T1
  3) Satellite
  4) 22.4k dialup (if lucky)

  #1 and #2 aren't very likely in a residential location

  #3 directv and others offer a service, but you're usually
natted in the first place, so you're ok.

  everyone out here has #4.

  i also talk to a lot of people that don't consider their
machine a problem since they're on dial-up. "oh, what harm could
they do with my piddly computer on a modem".

  22.4k*500 compromised hosts still starts to add up, which is
something that doesn't quite sink in with these people.

  they just don't see any value in patching their system since it
would take forever to download them, and they're too lazy to order a CD
or such from Microsoft (Thank you for offering the CDs!).

  I don't know how to reach these people. I've gotten my immediate
family to understand to keep their systems patched. Now for the
rest of the population that doesn't feel this is important..

  - jared

Suresh Ramasubramanian wrote:

Just asking .. any idea how many cable / dsl operators around the
world - not just in the USA - provide hardware firewalls along with
their CPE equipment - or perhaps provide CPE equipment that's capable
of firewalling?

Both regional cable providers in our area provide only cheap cable modems, and at least the ILEC CO's DSL is also basic modem-like capability, although the ILEC offers a wireless option with a DSL AP (that I haven't examined to see if it's a router or bridge).

At least one of the cable providers provides free virus/firewall software (F-Secure).

Don't know of any hardware security offerings bundled or offered.

Jeff

Why isn't it a valid comparison? Since Carterphone, you are not required to
buy CPE from a telecommunications company in the USA. That includes
modems. Cable has different laws, but also has an "open cable equipment"
requirement. A consumer can buy a compatible Dialup/DSL/Cable modem from
any consumer electronics store.

The buzzword you need to look for is "modem" versus "gateway."

Gateways generally have both modems and routers, and now firewalls.
Modems are just modems.

As you point out, you can buy gateways with built-in DSL or Cable modems
as well as routing and firewall capabilities such as Motorola, Linksys,
D-Link, 2wire, Cisco, etc. Some manufacturers, such as Apple AirPort
Extreme, also make dialup gateways with dialup modem PPP and firewall
capabilities.

It's a myth that dialup is "safer" than broadband.

Essentially all the major DSL and Cable broadband providers in the USA
sell/lease broadband gateways with built-in DSL or Cable modems and
firewalls. Looking at the ordering web-sites for several major broadband
providers, it appears the most common preferred equipment package is a
WiFi home gateway with built-in dsl or cable modem and firewall. It's as
simple as calling your favorite broadband provider, placing an order and
giving them your credit card number to pay for the equipment.

Most broadband providers also offer less expensive modem-only CPE. And,
because of Carterphone, people can buy their CPE from other sources. Even
if providers only sold CPE with firewalls, consumers could choose to save
$50 and buy a modem-only CPE without a firewall from a consumer
electronics store.

Or are you suggesting we should overturn Carterphone in the USA, and
require consumers use only telecommunication carrier provided CPE? Maybe
Ma Bell was right after all.

Hopefully soon people will start running operating systems, web browsers,
and email clients where they have no need for a "personal firewall".

(Or, with luck, certain vendors will fix their buggy software)

Essentially all the major DSL and Cable broadband providers in the USA
sell/lease broadband gateways with built-in DSL or Cable modems and
firewalls. Looking at the ordering web-sites for several major broadband
providers, it appears the most common preferred equipment package is a
WiFi home gateway with built-in dsl or cable modem and firewall. It's as
simple as calling your favorite broadband provider, placing an order and
giving them your credit card number to pay for the equipment.

Well Sean - that's right. However that doesn't seem to be universal.

Quoting Jeff Kell -

Both regional cable providers in our area provide only cheap cable
modems, and at least the ILEC CO's DSL is also basic modem-like
capability, although the ILEC offers a wireless option with a DSL AP
(that I haven't examined to see if it's a router or bridge).

I'm not suggesting that Carterphone be overturned. I was wondering
how many people were providing reasonably secure gateways as CPE
instead of el cheapo modem only CPE as a default.

Defaults, especially in this sort of situation, tend to remain that
way .. Joe Average with a DSL line and a winxp box to hook up to it
just isn't going to bother.

But give him a reasonably sane default package like this and he's a
bit more protected against stuff that tries to take over his PC, and
the internet has to deal with one trojaned PC less. Drops in the
bucket and all that ...

regards
--srs

So when the majority of people begin using a different operating system, is
there some reason that the majority of virus-writers or other malcontents
wouldn't focus on the flaws there?

Or are we stuck in this little bubble thinking that unix REALLY is THAT
secure?

Perhaps it is, but my viewpoint is that it's really shortsighted to make
this assumption. Just because it hasn't happened yet doesn't mean that it
can't. Wolves go where the sheep are plentiful and less protected. As they
get hungry, they'll go other places. :-)

Just my two cents.

Scott

Some manufacturers, such as Apple AirPort Extreme, also make dialup gateways with dialup modem PPP and firewall capabilities.

Actually the Airport Extreme doesn't do firewalling.

It's a myth that dialup is "safer" than broadband.

Well, everything takes longer, including getting infected. :-)

But why are we discussing this again, for the 2^56th time? People on this list either know how to do the right thing (with or without a firewall), or are too stubborn to, regardless of having all the relevant information.

As for the people who aren't on this list, the majority of them don't care, so let's wait until they start to, and do something that's more useful and more fun in the meantime.

And:

NIC manufacturers will start including built-in hardware firewalls.

You're kidding, right?

If the NIC filter is easy to configure in software, it's just hardware support for software firewalling which you don't believe in. If the NIC filter isn't easy to configure in software, people can no longer use their unsafe protocols even on LANs, defeating the purpose of these unsafe protocols (conspiracy nuts may believe the purpose of these protocols is their WAN mis-use, of course).

Iljitsch van Beijnum <iljitsch@muada.com> writes:

Some manufacturers, such as Apple AirPort Extreme, also make dialup
gateways with dialup modem PPP and firewall capabilities.

Actually the Airport Extreme doesn't do firewalling.

It does PNAT and port forwarding to an inside IP address with
remapping. This matches with the vernacular use of the term
"firewall". I've not tried to get it to route a subnet; I'm not even
sure if it's possible.

If you want to be pedantic and completely arbitrary in use of your
definitions I suppose you could say that the Airport Extreme fares
poorly in the ASTM E119 tests and therefore "doesn't do firewalling".

                                        ---Rob

Some manufacturers, such as Apple AirPort Extreme, also make dialup
gateways with dialup modem PPP and firewall capabilities.

Actually the Airport Extreme doesn't do firewalling.

It does PNAT and port forwarding to an inside IP address with
remapping. This matches with the vernacular use of the term
"firewall".

If you say so...

I've not tried to get it to route a subnet; I'm not even
sure if it's possible.

Not as far as I can tell. But being a base station, it can act as a switch. In this mode, it's completely transparent (unless you count rate limiting multicasts...). And even with NAT there is no way to filter outgoing traffic.

There is a lot of wishful thinking, but security people seem to be
very bad about actually testing their theories to see if they are
effective. A lot of snake-oil gets sold using the theory it can't hurt.

Many Home/SOHO PCs are self-infected by the owners. Network firewalls
and anti-virus software are very poor at preventing that. The really
scary thing is the infection rate of Home/SOHO computers with
AV/firewalls is higher than "naked" computers.

What's more interesting is the highest infection rate of all is for homes
with laptop/mobile computers. Even when your home broadband modem/gateway
has a firewall, when you take your laptop out of the home you lose
what little protection you had. Then you bring the infection back inside
and infect all your other home computers behind the gateway/firewall.
The crunchy outside, soft-chewy inside rule applies to home computers too.

Perhaps, then, one should not be so quick to disparage software-based
firewalls, resident on the computer itself.

After all, there is really no such thing as a "hardware-based" firewall.
bugtraq has plenty of reports of software bugs in firewalls resident on
dedicated hardware.

"Defense in depth" would suggest using both.

er, so having no firewall or antivirus software on your home broadband
connection with an XP box hooked onto it would be just as safe as an
XP box having $software_fw and frontended by $hw_firewall that at
least does NAT and a bit of packet filtering on the side?

I'd be interested in seeing the study you're quoting ..

thanks
--srs

Sean Donelan wrote:

...the infection rate of Home/SOHO computers with AV/firewalls is higher than "naked" computers.

please, where does this information come from? are you sitting on proof that the Home AV/Security industry is *complete* FUD? :-)

What's more interesting is the highest infection rate of all is for homes
with laptop/mobile computers.

is that so? please, where does *this* information come from? it might seem intuitively correct, but i'd like to see some numbers and other data to back these claims up.

thanks

-d

* Barney Wolff:

> Perhaps, then, one should not be so quick to disparage software-based
> firewalls, resident on the computer itself.

Yes, but it's only a real obstacle if the malware doesn't run with
SYSTEM privileges. If it's impossible for home users to work with
reduced privileges, a host-based filter is no good (unless it's a very
obscure brand which is not targeted by the malware 8-).

In general, home firewalls are better at preventing infection than
containing it. That's true no matter where the firewall resides.

By the way, do you know if these "hardware firewalls" have a
management interface on a factory-default IP address?

192.168.0.1 admin/admin is a good bet.

I am very interested in "where" this information is published and how it was
obtained....

Sean Donelan wrote:

...the infection rate of Home/SOHO computers with AV/firewalls is higher than "naked" computers.

please, where does this information come from? are you sitting on proof that the Home AV/Security industry is *complete* FUD? :-)

What's more interesting is the highest infection rate of all is for homes
with laptop/mobile computers.

is that so? please, where does *this* information come from? it might seem intuitively correct, but i'd like to see some numbers and other data to back these claims up.

thanks

-d

How 'bout this data: Stupid people get viruses more than smart people. There will always be viruses, there will always be stupid people. What does this have to do with network operations?

Are we, as network operators, supposed to protect people (stupid or not) from themselves?

-Jerry